Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650

2023-04-27 Thread Salvatore Bonaccorso
Thomas,

On Fri, Mar 17, 2023 at 05:37:54PM +, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
> 
> On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> > I have prepared an update for Ceph in Bullseye to address
> > CVE-2022-3650 (ie: ceph to root privilege escalation).
> > The security team already told me that there will be no DSA.
> 
> Your upload doesn't match the debdiff on this bug (see
> https://release.debian.org/proposed-updates/bullseye_diffs/ceph_14.2.21-1+deb11u1.debdiff).
> Is that intentional or did something go wrong?

Have you seen the question from Jonathan?

Right now it was not accepted, respectively held back, see
https://release.debian.org/proposed-updates/stable.html and thus will
miss the next point release.

Regards,
Salvatore



Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650

2023-03-17 Thread Jonathan Wiltshire
Control: tag -1 moreinfo

On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> I have prepared an update for Ceph in Bullseye to address
> CVE-2022-3650 (ie: ceph to root privilege escalation).
> The security team already told me that there will be no DSA.

Your upload doesn't match the debdiff on this bug (see
https://release.debian.org/proposed-updates/bullseye_diffs/ceph_14.2.21-1+deb11u1.debdiff).
Is that intentional or did something go wrong?

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Processed: Re: Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650

2023-03-17 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #1026078 [release.debian.org] bullseye-pu: package ceph/14.2.21-1 
CVE-2022-3650 
Added tag(s) moreinfo.

-- 
1026078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026078
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed: Re: Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650

2023-03-15 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 confirmed
Bug #1026078 [release.debian.org] bullseye-pu: package ceph/14.2.21-1 
CVE-2022-3650 
Added tag(s) confirmed.

-- 
1026078: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026078
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650

2023-03-15 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> I have prepared an update for Ceph in Bullseye to address
> CVE-2022-3650 (ie: ceph to root privilege escalation).
> The security team already told me that there will be no DSA.

Please go ahead with the distribution label fixed.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650

2022-12-14 Thread Salvatore Bonaccorso
Hi Thomas,

On Wed, Dec 14, 2022 at 11:52:16AM +0100, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> I have prepared an update for Ceph in Bullseye to address
> CVE-2022-3650 (ie: ceph to root privilege escalation).
> The security team already told me that there will be no DSA.
> 
> [ Reason ]
> (Explain what the reason for the (old-)stable update is. I.e.
> what is the bug, when was it introduced, is this a regression
> with respect to the previous (old-)stable.)
> 
> [ Impact ]
> > Anyone logged in as Ceph can become root whenever there's a disk
> > event without the attached patch.
> 
> [ Tests ]
> > Upstream runs a functional test suite, and I trust it.
> 
> [ Risks ]
> The code is quite trivial and easy to backport (python code).
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> > The Python code checks input better and avoids privilege escalation.
> See attached debdiff, it's quite readable.
> 
> Cheers,
> 
> Thomas Goirand (zigo)

> diff -Nru ceph-14.2.21/debian/changelog ceph-14.2.21/debian/changelog
> --- ceph-14.2.21/debian/changelog 2021-05-27 12:04:21.0 +0200
> +++ ceph-14.2.21/debian/changelog 2022-11-30 14:20:19.0 +0100
> @@ -1,3 +1,10 @@
> +ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium
> +
> +  * CVE-2022-3650: privilege escalation from the ceph user to root. Applied
> +upstream patches (Closes: #1024932).

For the upload via bullseye-pu the target distribution needs to be
changed as well to 'bullseye'.

Regards,
Salvatore



Bug#1026078: bullseye-pu: package ceph/14.2.21-1 CVE-2022-3650

2022-12-14 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I have prepared an update for Ceph in Bullseye to address
CVE-2022-3650 (ie: ceph to root privilege escalation).
The security team already told me that there will be no DSA.

[ Reason ]
(Explain what the reason for the (old-)stable update is. I.e.
what is the bug, when was it introduced, is this a regression
with respect to the previous (old-)stable.)

[ Impact ]
Anyone logged in as Ceph can become root whenever there's a disk
event without the attached patch.

[ Tests ]
Upstream runs a functional test suite, and I trust it.

[ Risks ]
The code is quite trivial and easy to backport (python code).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The Python code checks input better and avoids privilege escalation.
See attached debdiff, it's quite readable.

Cheers,

Thomas Goirand (zigo)
diff -Nru ceph-14.2.21/debian/changelog ceph-14.2.21/debian/changelog
--- ceph-14.2.21/debian/changelog   2021-05-27 12:04:21.0 +0200
+++ ceph-14.2.21/debian/changelog   2022-11-30 14:20:19.0 +0100
@@ -1,3 +1,10 @@
+ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium
+
+  * CVE-2022-3650: privilege escalation from the ceph user to root. Applied
+upstream patches (Closes: #1024932).
+
+ -- Thomas Goirand   Wed, 30 Nov 2022 14:20:19 +0100
+
 ceph (14.2.21-1) unstable; urgency=high
 
   * New upstream release, resolving these:
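Review bot: the new changelog entry is targeted at bullseye-security, but this is a bullseye-pu upload and the security team has said there will be no DSA, so the distribution must be plain bullseye: change `+ceph (14.2.21-1+deb11u1) bullseye-security; urgency=medium` to `+ceph (14.2.21-1+deb11u1) bullseye; urgency=medium`. After that fix the debdiff attached to this bug needs to be regenerated from exactly the source that is uploaded, otherwise the attached diff and the upload diverge, which is what the release team asks about elsewhere in this thread.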
diff -Nru 
ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
 
ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
--- 
ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
1970-01-01 01:00:00.0 +0100
+++ 
ceph-14.2.21/debian/patches/CVE-2022-3650_1_ceph-crash_drop_privleges_to_run_as_ceph_user_rather_than_root.patch
2022-11-30 14:20:19.0 +0100
@@ -0,0 +1,61 @@
+Description: CVE-2022-3650: ceph-crash: drop privleges to run as "ceph" user, 
rather than root
+ If privileges cannot be dropped, log an error and exit.  This commit
+ also catches and logs exceptions when scraping the crash path, without
+ which ceph-crash would just exit if it encountered an error.
+Author: Tim Serong 
+Date: Wed, 2 Nov 2022 14:27:47 +1100
+Bug: https://tracker.ceph.com/issues/57967
+Signed-off-by: Tim Serong 
+Origin: upstream, 
https://github.com/ceph/ceph/commit/130c9626598bc3a75942161e6cce7c664c447382
+Bug-Debian: https://bugs.debian.org/1024932
+Last-Update: 2022-11-28
+
+--- ceph-14.2.21.orig/src/ceph-crash.in
 ceph-14.2.21/src/ceph-crash.in
+@@ -3,8 +3,10 @@
+ # vim: ts=4 sw=4 smarttab expandtab
+ 
+ import argparse
++import grp
+ import logging
+ import os
++import pwd
+ import socket
+ import subprocess
+ import sys
+@@ -76,7 +78,23 @@ def scrape_path(path):
+ )
+ 
+ 
++def drop_privs():
++if os.getuid() == 0:
++try:
++ceph_uid = pwd.getpwnam("ceph").pw_uid
++ceph_gid = grp.getgrnam("ceph").gr_gid
++os.setgroups([])
++os.setgid(ceph_gid)
++os.setuid(ceph_uid)
++except Exception as e:
++log.error(f"Unable to drop privileges: {e}")
++sys.exit(1)
++
++
+ def main():
++# run as unprivileged ceph user
++drop_privs()
++
+ args = parse_args()
+ postdir = os.path.join(args.path, 'posted')
+ if args.name:
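Review bot: drop_privs() keys on os.getuid() == 0 and never verifies that the drop took effect; a process started with a non-zero real uid but effective uid 0 skips the drop entirely, and nothing after os.setuid(ceph_uid) confirms the result. Decide on os.geteuid() and add a check after the setuid call, for example `if os.getresuid() != (ceph_uid,) * 3: sys.exit(1)` (or confirm that os.setuid(0) now raises PermissionError), so the scraping loop can never run with residual root. Two smaller points: the bare `except Exception` also swallows the KeyError from pwd.getpwnam("ceph") when no such account exists, which deserves its own clear message rather than "Unable to drop privileges: 'ceph'"; and because drop_privs() runs before parse_args(), the directory given by --path and the `postdir = os.path.join(args.path, 'posted')` derived from it must already be accessible to the ceph user, which is an ownership requirement the changelog should state. As quoted in this mail the hunk's Python indentation has been flattened (`+if os.getuid() == 0:` sits in the same column as `+def drop_privs():`), so the patch cannot be applied from the mail body as shown.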
+@@ -88,7 +106,10 @@ def main():
+ 
+ log.info("monitoring path %s, delay %ds" % (args.path, args.delay * 60.0))
+ while True:
+-scrape_path(args.path)
++try:
++scrape_path(args.path)
++except Exception as e:
++log.error(f"Error scraping {args.path}: {e}")
+ if args.delay == 0:
+ sys.exit(0)
+ time.sleep(args.delay * 60)
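Review bot: `log.error(f"Error scraping {args.path}: {e}")` discards the traceback, which is exactly what an operator needs when scrape_path() starts failing after the privilege drop (a permission error on a root-owned crash directory, say); use `log.exception("Error scraping %s", args.path)` inside the except block so the stack is kept. In one-shot mode (args.delay == 0) a failed scrape now still reaches `sys.exit(0)`, so a cron job or service wrapper cannot distinguish failure from success; record the failure in the except branch and exit non-zero there instead.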
diff -Nru 
ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
 
ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
--- 
ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
1970-01-01 01:00:00.0 +0100
+++ 
ceph-14.2.21/debian/patches/CVE-2022-3650_2_ceph-crash_fix_stderr_handling.patch
2022-11-30 14:20:19.0 +0100
@@ -0,0 +1,24 @@
+Description: CVE-2022-3650: ceph-crash: fix stderr handling
+ Popen.communicate() returns a tuple (stdout, stderr), and stderr
+ will be of type bytes, hence the need to decode it before checking
+ if it's an empty string or not.
+Author: Tim Serong 
+Date: Wed, 2 Nov 2022 14:23:20 +1100
+Bug: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e
+Signed-off-by: Tim Serong 
+Bug-Debian: https://bugs.debian.org/1024932
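Review bot: `+Bug: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e` puts a git commit hash into the DEP-3 Bug: field, which is meant for the upstream bug URL (compare the first patch, which carries `+Bug: https://tracker.ceph.com/issues/57967`). Reference the commit under an Origin: line as the first patch does (`Origin: upstream, <commit URL>`) and keep Bug: for the tracker entry, so that the two patch headers are consistent and the upstream provenance of this second fix is machine-readable.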
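The privilege drop that the ceph-crash patch above introduces, generalised into a stand-alone example that also verifies the drop actually took effect. This is an added illustration, not code from ceph or from the Debian package: the account name "ceph" is only a default argument, the verification routine (checking real, effective and saved ids and confirming that root cannot be regained) is the missing check a reviewer would ask for, and the forked-child helper is an assumption about how to exercise the drop without the calling process losing its own identity.

```python
import grp
import os
import pwd
import sys


def resolve_account(user, group=None):
    """Return (uid, gid) for an account name; gid defaults to the user's
    primary group. Raises KeyError if either name is unknown."""
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    return pw.pw_uid, gid


def current_identity():
    """Real uid and gid of this process."""
    return os.getuid(), os.getgid()


def _all_ids():
    """(real, effective, saved) uid and gid tuples; falls back to
    (real, effective) on platforms without getresuid()/getresgid()."""
    if hasattr(os, "getresuid"):
        return os.getresuid(), os.getresgid()
    return (os.getuid(), os.geteuid()), (os.getgid(), os.getegid())


def privileges_dropped(uid, gid, no_supplementary=False):
    """True only if every uid/gid slot is the target, root cannot be regained,
    and (optionally) no supplementary groups remain."""
    if uid == 0:
        return False                       # "dropping" to root is not a drop
    uids, gids = _all_ids()
    if uids != (uid,) * len(uids):
        return False                       # a saved uid of 0 would allow setuid(0)
    if gids != (gid,) * len(gids):
        return False
    if no_supplementary and os.getgroups():
        return False
    try:
        os.setuid(0)                       # must be refused once root is gone
    except PermissionError:
        return True
    return False


def drop_privileges(uid, gid):
    """Irreversibly drop from root to uid/gid. Order matters: supplementary
    groups first (needs root), then gid (a non-root uid could not change it),
    then uid. Returns whether the process now verifiably runs as uid/gid."""
    if os.geteuid() != 0:                  # keyed on the *effective* uid
        return privileges_dropped(uid, gid)
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)                         # as root this sets real, effective and saved uid
    return privileges_dropped(uid, gid, no_supplementary=True)


def drop_in_child(uid, gid):
    """Perform the drop in a forked child and report the verification result
    through its exit status, so the caller keeps its own identity."""
    pid = os.fork()
    if pid == 0:
        ok = False
        try:
            ok = drop_privileges(uid, gid)
        finally:
            os._exit(0 if ok else 1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


if __name__ == "__main__":
    account = sys.argv[1] if len(sys.argv) > 1 else "ceph"   # assumed account name
    try:
        target_uid, target_gid = resolve_account(account)
    except KeyError as exc:
        sys.exit(f"unknown account: {exc}")
    if not drop_privileges(target_uid, target_gid):
        sys.exit(f"unable to drop privileges to {account}")
    print(f"running as uid={os.getuid()} gid={os.getgid()} groups={os.getgroups()}")
```

Run as root with an account name to see a real drop; run unprivileged and it simply confirms the process already is that account. The os.setuid(0) probe is the cheap, portable way to prove no path back to root remains, which is the check the patch's drop_privs() lacks.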